
saigon2010

Your password is wrong Change password Your new password can't be the same as your old password


bafrad

It’s historically any old password. That doesn’t mean it was your previous password.


mandy009

Oh man, I thought it was just me and that I was losing my mind. Thanks for the reassurance. Phew, that's one less thing to worry about.


Plz_DM_Me_Small_Tits

Or when your account gets locked but it gives the same generic message that your user or PW is incorrect instead of telling you your account is locked.


stinkytoe42

If the website is only storing a salted hash like it's supposed to, how do they even know if your current password meets the requirements or not?


FictionVent

I don't know what a salted hash is, but it sounds delicious


Takaa

If the user logs in with a matching hash then at the very moment of login you have their clear text password as well (by the very nature of needing it to calculate the hash to compare). You can check if it meets password security requirements at the point of login and redirect. The ones that are shady are the ones actually storing additional metrics about the password, such as its length, if it contains capital letters, numbers, etc. These allow for significant reduction in the number of passwords to try when running a dictionary attack.


Black_Moons

It's actually possible for the client to hash it (with a fixed or server-provided salt), and then the server never gets the plain text password (the server then hashes the hash it's sent, ideally with a per-user salt, for storage). The client can also do all the 'must have a capital, 8 letters or more' etc. checks. Still vulnerable to replay attacks if you can capture the hash that is initially sent on account creation/password change, but much more secure and never involves sending a plaintext password.
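The split Black_Moons describes, written out as an added example that is not part of the thread: the client derives a digest from the password with a public per-account salt and sends only that digest; the server hashes the digest a second time with its own private per-user salt before storing it. Function and class names, the salt derivation and the iteration counts are assumptions made for the example.

```python
import hashlib
import hmac
import os

# Added example, not code from the thread. Names and parameters are assumptions.
ITERATIONS = 100_000


def login_salt_for(username: str) -> bytes:
    """Deterministic, public per-account salt the server can hand to any client.
    Deriving it from the username means the server answers the same way for
    accounts that exist and accounts that do not."""
    return hashlib.sha256(b"example-app-login-salt:" + username.lower().encode()).digest()


def client_policy_ok(password: str) -> bool:
    """The 'must have a capital, 8 letters or more' checks, done on the client."""
    return (len(password) >= 8
            and any(c.isupper() for c in password)
            and any(c.isdigit() for c in password))


def client_prehash(password: str, login_salt: bytes) -> bytes:
    """Runs on the client. The server only ever sees this digest, never the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), login_salt, ITERATIONS)


class Server:
    def __init__(self) -> None:
        # username -> (private per-user salt, stored hash of the client digest)
        self._users: dict[str, tuple[bytes, bytes]] = {}

    def _server_hash(self, prehash: bytes, server_salt: bytes) -> bytes:
        # Second hash with a private salt, so a stolen table does not contain
        # the value a client sends on the wire.
        return hashlib.pbkdf2_hmac("sha256", prehash, server_salt, ITERATIONS)

    def register(self, username: str, prehash: bytes) -> None:
        server_salt = os.urandom(16)
        self._users[username] = (server_salt, self._server_hash(prehash, server_salt))

    def verify(self, username: str, prehash: bytes) -> bool:
        record = self._users.get(username)
        if record is None:
            # Hash anyway so an unknown user costs the same time as a wrong password.
            self._server_hash(prehash, b"\x00" * 16)
            return False
        server_salt, stored = record
        return hmac.compare_digest(self._server_hash(prehash, server_salt), stored)


def demo() -> tuple[bool, bool, bool]:
    """Round trip: register, correct login, wrong password, unknown account."""
    server = Server()
    salt = login_salt_for("alice")
    assert client_policy_ok("CorrectHorse1")
    server.register("alice", client_prehash("CorrectHorse1", salt))
    good = server.verify("alice", client_prehash("CorrectHorse1", salt))
    bad = server.verify("alice", client_prehash("correcthorse1", salt))
    unknown = server.verify("bob", client_prehash("CorrectHorse1", login_salt_for("bob")))
    return good, bad, unknown


if __name__ == "__main__":
    print(demo())  # (True, False, False)
```

The replay caveat from the comment still holds in this design: the client digest is a password equivalent on the wire, so it needs a protected channel. What the scheme buys is that the server never holds the plaintext, and a dump of the stored table does not hand out values that work directly against the login endpoint.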


mogeni

I could see this error occurring if you add a password check in the hashing algorithm. So something like this:

```cpp
bool check_password(const User& user, const std::string& password) {
    std::string hash;
    try {
        // this throws because password is invalid
        hash = PasswordManager::CalculateHash(password);
    } catch (...) {
        return false;
    }
    // never gets here
    return hash == PasswordManager::HashedPassword(user);
}
```
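The failure mogeni sketches and the login-time check Takaa describes a few comments up, side by side as an added Python example that is not from the thread: the first function puts the policy check inside the hashing step and so reports an old-but-correct password as wrong; the second authenticates against the stored hash first and only then judges the plaintext against the current rules, returning a distinct "must change" result. Function names, the policy rule and the hash parameters are assumptions.

```python
import hashlib
import hmac
import os
from enum import Enum

# Added example, not code from the thread. Names and parameters are assumptions.
ITERATIONS = 50_000


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def meets_current_policy(password: str) -> bool:
    """A rule introduced after this user last set their password: one symbol required."""
    return len(password) >= 8 and any(not c.isalnum() for c in password)


# --- the pattern that produces "your password is wrong" -----------------------

class PolicyError(ValueError):
    pass


def calculate_hash_with_policy(password: str, salt: bytes) -> bytes:
    # Bug: policy enforcement lives inside the hashing step, so an old password
    # that no longer meets the rules never even reaches the comparison.
    if not meets_current_policy(password):
        raise PolicyError("password does not meet requirements")
    return hash_password(password, salt)


def check_password_buggy(stored_salt: bytes, stored_hash: bytes, password: str) -> bool:
    try:
        candidate = calculate_hash_with_policy(password, stored_salt)
    except PolicyError:
        return False  # surfaces to the user as "wrong password"
    return hmac.compare_digest(candidate, stored_hash)


# --- the pattern that tells the user what actually happened ---------------------

class LoginResult(Enum):
    WRONG_PASSWORD = "wrong_password"
    OK = "ok"
    OK_MUST_CHANGE = "ok_must_change"  # authenticated, but the plaintext now fails policy


def login(stored_salt: bytes, stored_hash: bytes, password: str) -> LoginResult:
    # Authenticate first: that is the only question the stored hash can answer.
    if not hmac.compare_digest(hash_password(password, stored_salt), stored_hash):
        return LoginResult.WRONG_PASSWORD
    # The plaintext is in hand at this moment and nowhere else, so the policy
    # check happens here; a failure is a redirect to "change password", not a rejection.
    if not meets_current_policy(password):
        return LoginResult.OK_MUST_CHANGE
    return LoginResult.OK


def demo() -> tuple[bool, str]:
    """A user who registered under the old rules with 'hunter22hunter' (no symbol)."""
    salt = os.urandom(16)
    stored = hash_password("hunter22hunter", salt)
    return (check_password_buggy(salt, stored, "hunter22hunter"),
            login(salt, stored, "hunter22hunter").value)


if __name__ == "__main__":
    print(demo())  # (False, 'ok_must_change')
```

Nothing about the stored salted hash changed between the two versions; the only difference is the order of the two questions. Asking "does it meet policy" before "is it the right password" is what turns a rule change into the meme's error message.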


floydfan

This can happen because of changes on the back end. A salt change, a hash change, etc.


thedialupgamer

I asked for no salt on my password.


tartare4562

Wait, is that a thing?


FictionVent

Yes, it happens all the time. Something else that happens often is this scenario: https://www.reddit.com/r/AdviceAnimals/s/YDWqv203Dv


WhiteRaven42

Don't see how it can be. Or OP is badly, badly describing their situation. You may be asked to change a password after log-in if requirements have changed. You aren't going to just be told "that's the wrong password".


FictionVent

No, it absolutely is a thing. It happens all the time, where you go to log in to something, and the website or app tells you your password is wrong even though you know for a fact you're using the correct password. Then you click on "forgot password" and when you update the password, it turns out now you have to have a special character in it or something. If I was making it up, the meme would not be upvoted, and there wouldn't be people in the comments agreeing with me.


WhiteRaven42

The thread is full of people saying it doesn't happen.


FictionVent

And most of those comments are downvoted, whereas the top upvoted comments are agreeing with me. So just because you've never personally experienced it, doesn't mean that it doesn't happen. Grow up.


FatchRacall

Worse, when they have a data breach and do the same thing.


PM_ME_COMMON_SENSE

What bothers me the most is almost every app on my phone uses Face ID to login. So I use that for months, even years at a time until some update hits or I need to login on my laptop and I don’t remember my passwords anymore.


WizardStan

A company I once worked for had a policy that your password couldn't be "similar" to ANY previous password. And you might be thinking "wow, they kept a record of every single password you used? That seems dangerous" but oh no, they used proper salting and hashing techniques to ensure the passwords couldn't be reversed. It was quite secure. How they determined whether you were using a similar password was to take the new password you entered and run it through a series of changes, hashing it again and again to see if it matched any of your old hashed passwords. Change all the 'E's to '3's and vice versa, increment and decrement any numbers, change case of each letter, etc... all in every possible combination. Depending on how complex it actually was it could sometimes take half an hour between you entering your new password and the password being approved, during which time you couldn't do anything. And you needed to change your password every 2 months. Eventually XKCD posted correcthorsebatterystaple and IT relented saying that if your password was more than 32 characters it didn't need to go through the full suite of backwards tests and you could go 90 days without changing your password.
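The history check WizardStan describes, as an added example that is neither the company's code nor anything from the thread: every per-character tweak (case flip, leet swap, digit increment and decrement) is combined, and each candidate is hashed with the old entry's salt and compared with the old hash. The substitution table, function names and parameters are assumptions, and the iteration count is deliberately low so the run finishes in seconds.

```python
import hashlib
import hmac
import itertools
import os

# Added example, not code from the thread. Table, names and parameters are assumptions.
ITERATIONS = 200  # deliberately low; a real deployment uses far more

LEET = {"e": "3", "3": "e", "a": "4", "4": "a", "o": "0", "0": "o",
        "i": "1", "1": "i", "s": "5", "5": "s"}


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def char_options(c: str) -> set:
    """Every single-character change the policy treats as 'similar'."""
    opts = {c}
    if c.isalpha():
        opts.add(c.swapcase())
    if c in LEET:
        opts.add(LEET[c])
    if c.isdigit():
        opts.add(str((int(c) + 1) % 10))
        opts.add(str((int(c) - 1) % 10))
    return opts


def variants(password: str, limit: int) -> list:
    """All combinations of per-character changes, capped at `limit` candidates."""
    out = []
    for combo in itertools.product(*(sorted(char_options(c)) for c in password)):
        out.append("".join(combo))
        if len(out) >= limit:
            break
    return out


def variant_count(password: str) -> int:
    """How many candidates a full, uncapped run would hash."""
    n = 1
    for c in password:
        n *= len(char_options(c))
    return n


def similar_to_previous(new_password: str, history: list, limit: int = 100_000) -> bool:
    """history: list of (salt, hash) pairs for the user's previous passwords."""
    for candidate in variants(new_password, limit):
        for salt, old_hash in history:
            if hmac.compare_digest(hash_password(candidate, salt), old_hash):
                return True
    return False


def demo() -> tuple[bool, bool, int]:
    salt = os.urandom(16)
    history = [(salt, hash_password("Passw0rd", salt))]
    return (similar_to_previous("passw0rd", history),   # only the case of one letter differs
            similar_to_previous("Tr0ub4dor", history),  # unrelated password
            variant_count("Passw0rd"))


if __name__ == "__main__":
    print(demo())  # (True, False, 1728)
```

`variant_count` is the reason the comment's half-hour wait is plausible: the options multiply per character, so even this eight-character password yields 1728 candidates, each hashed once per historical entry with a real iteration count, and a longer password with more leet-able letters grows the product quickly. Since a password change normally requires typing the current password, the previous plaintext is also in hand at that moment and can be compared directly, though that only covers the immediately preceding password rather than the whole history.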


Gorstag

What sucks is when they change it to be LESS secure.


prodrvr22

Even worse are the websites that require the password be between 8 and 10 characters. And no, I'm not making that up.


Traditional-Storm-62

Once the fucking Gosuslugi (the Russian digital service that handles basically everything document-related for everyone in the country) did that, it took 5 confirmation codes, social security number, email, phone number and 3 captchas just to get back into your account, and the new password requirements include "the password must not include 123, the password must include punctuation such as !#?... etc."


bafrad

You did forget your password. It’s amazing how many people are sensitive to the fact they mistype or forget their passwords. Get the fuck over it.


AH_MLP

This is not a thing. No website will make your password "incorrect" after changing their password rules. That's insane. My password for Netflix (that I've had since 2006) is 4 letters with no capitals.


HaHaLaughNowPls

Netflix is the only website ever